[Condor-users] User based authentication in Condor
- Date: Fri, 3 Jun 2011 17:21:57 +0200
- From: Felix Wolfheimer <f.wolfheimer@xxxxxxxxxxxxxx>
- Subject: [Condor-users] User based authentication in Condor
Hi,
I'm currently testing the user based authentication as I want to
replace our previous host based authentication. I'm facing some issues
(probably caused by my limited understanding about how to set this up
properly). I started with a single machine (central
manager/submit/execute host) as testbed for the new mechanism (Windows
Server 2003 R2). This is what I've done:
1. Inserted the following settings into the local config file:
# All users in our domain should be allowed to query the pool and submit jobs
ALLOW_READ = *@<our_domain>/*.$(UID_DOMAIN)
ALLOW_WRITE = *@<our_domain>/*.$(UID_DOMAIN)
# only I have admin and owner rights
ALLOW_ADMINISTRATOR = FelixWolfheimer@<our_domain>/*.$(UID_DOMAIN)
ALLOW_CONFIG = FelixWolfheimer@<our_domain>/*.$(UID_DOMAIN)
ALLOW_OWNER = FelixWolfheimer@<our_domain>/*.$(UID_DOMAIN)
ALLOW_DAEMON = condor_pool@$(UID_DOMAIN)/*.$(UID_DOMAIN)
ALLOW_NEGOTIATOR = condor_pool@$(UID_DOMAIN)/$(HOSTNAME)
2. Registered the shared secret using condor_store_cred -c add (worked OK)
3. Restarted Condor
Now, the daemons can't communicate with the master and in the master
log I can see:
06/03/11 17:13:04 Adding to resolved authorization table:
unauthenticated@unmapped/10.2.10.7: DENY_DAEMON
06/03/11 17:13:04 PERMISSION DENIED to unauthenticated@unmapped from
host 10.2.10.7 for command 60008 (DC_CHILDALIVE), access level DAEMON:
reason: DAEMON authorization policy contains no matching ALLOW entry
for this request; identifiers used for this host:
10.2.10.7,<our_machine_name>
Any idea what could cause this? I've read the section 3.6 of the
manual carefully and found something about a "map file". Is it
necessary to somehow map the "unauthenticated@unmapped" to something
meaningful using the map file (To be honest I did not fully understand
what the map file does)?
Thanks for your help!
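
An added example, not part of the original post and not Condor's own code: it parses a denial record shaped like the master-log entry quoted above and checks it against the posted ALLOW_DAEMON entry, reporting whether the user half or the host half fails to match. The domain `example.org`, the host name `node1.example.org` and the shell-style wildcard matching are assumptions standing in for the values the post elides and for Condor's real matcher.

```python
import re
from fnmatch import fnmatchcase

# Constructed stand-ins: the post elides the real domain and machine name.
UID_DOMAIN = "example.org"
ALLOW_DAEMON = ["condor_pool@%s/*.%s" % (UID_DOMAIN, UID_DOMAIN)]

# Constructed log record in the shape of the quoted entry, wrapped as in the mail.
SAMPLE_LOG = """\
06/03/11 17:13:04 PERMISSION DENIED to unauthenticated@unmapped from
host 10.2.10.7 for command 60008 (DC_CHILDALIVE), access level DAEMON:
reason: DAEMON authorization policy contains no matching ALLOW entry
for this request; identifiers used for this host:
10.2.10.7,node1.example.org
"""

DENIED = re.compile(
    r"PERMISSION DENIED to (?P<user>\S+) from host (?P<ip>\S+) "
    r"for command (?P<cmd>\d+) \((?P<name>\w+)\), access level (?P<level>\w+):"
    r".*?identifiers used for this host: (?P<ids>\S+)"
)

def parse_denials(text):
    """Rejoin wrapped lines, then extract the fields of each denial record."""
    flat = " ".join(text.split())
    out = []
    for m in DENIED.finditer(flat):
        d = m.groupdict()
        d["ids"] = d["ids"].split(",")  # every identifier logged for the peer
        out.append(d)
    return out

def evaluate(denial, allow_entries):
    """Simplified model of user/host matching (assumes 'user/host' entries)."""
    results = []
    for entry in allow_entries:
        user_pat, _, host_pat = entry.partition("/")
        results.append({
            "entry": entry,
            "user_ok": fnmatchcase(denial["user"], user_pat),
            "host_ok": any(fnmatchcase(h.lower(), host_pat.lower())
                           for h in denial["ids"]),
        })
    allowed = any(r["user_ok"] and r["host_ok"] for r in results)
    return allowed, results

if __name__ == "__main__":
    for d in parse_denials(SAMPLE_LOG):
        print(d["name"], d["level"], d["user"], evaluate(d, ALLOW_DAEMON))
```

With the constructed values the host half matches and the user half does not, because the request carries the identity `unauthenticated@unmapped` rather than `condor_pool@example.org`.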